Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OWASP August 19 Connector (posted 2014-08-19)

Featured OWASP Project

OWASP WebSpa Project

The OWASP WebSpa Project is a Java web-knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated operating system (O/S) command. It provides a cryptographically protected "open sesame" mechanism at the web application layer, comparable to well-known port-knocking techniques. For more information, please contact the Project Leader, Oliver Merki.

New OWASP Projects

OWASP Rainbow Maker Project

OWASP Rainbow Maker is a tool aimed at breaking hash signatures. It allows testers to enter a hash value together with the possible keywords and values that the application might have used to create it; the tool then tries multiple combinations to find the format used to generate the hash value. For more information, please contact the Project Leader, Tal Melamed.

OWASP KALP Mobile Project

The OWASP KALP Mobile App Project is for OWASP users around the world who want to access the Top Ten vulnerabilities on the go (on their mobile), download the Top Ten and email it. It presents the OWASP Top Ten in lightweight form. It will be an Android application fetching the database of vulnerabilities from the OWASP server. Any new additions to the cheat sheets and prevention cheat sheets will automatically be accessible in the mobile app. For more information, please contact the Project Leader, Kishor Sonawane.

Project Announcements

From Daniel Cuthbert, Co-Project Leader of the OWASP Application Security Verification Standard Project

It gives me immense pleasure to finally release version 2 of the Standard for all to enjoy. The community feedback on this has been overwhelming and it's great to see so many of you investing time and effort into what Sahba and I feel is an incredibly important OWASP project. As with all standards, I'm sure this will be made better as people use it and we welcome the additions. Again, a huge thanks to all the contributors who helped shape version 2 and I cannot wait to hear how this is being used. It can be downloaded from the ASVS page HERE.

Documentation Volunteers Needed for the OWASP Mantra OS

The OWASP Mantra OS is looking for one or two volunteers to assist with documentation for the next release of Mantra OS. OWASP Mantra OS is a secure sandboxed operating system built for application testing and fast secure computing, built on Ubuntu Core. If you are interested in helping with the OWASP Mantra OS Dharma release, contact the project leader, Greg Disney-Leugers.

Upcoming Regional Events

Partner and Promotional Events

OWASP has partnered with these great events in the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.

• Fraud Summit Toronto (Sept 8, 2014), Toronto, Canada.

• (ISC)2 Security Congress (Sept 22 - Oct 2). OWASP Members save $355 off of the non-(ISC)2 Member Full Conference Pass. Attendees can expect over 80 educational sessions designed to strengthen cybersecurity defenders, focusing on current and emerging issues, best practices, and challenges facing cybersecurity leaders.

• EC-Council Hacker Halted (October 12-17, 2014), Atlanta, GA.

• ISSA International Conference (October 22-23, 2014), Orlando, FL.

• Suits & Spooks (December 14), Singapore.

CLICK HERE to view the candidates' bios and "why me?" information in a Google Document. CLICK HERE to view the OWASP Election page. Next, the candidates will conduct individual interviews answering questions from the community. Anyone can submit a question (or several) and vote up or vote down existing questions. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here. For a complete Election Timeline, Click Here.

Member voting is open until Friday, August 22, 2014

OWASP members should have received a notification and a link to cast their vote from our voting provider, Simply Voting. This is YOUR opportunity to recognize another in our community for their outstanding efforts, so be sure to congratulate all the nominees and cast your vote for the one nominee in each category who will be publicly recognized during an awards ceremony at AppSec USA in Denver. You can read all about the nominees HERE.

OAS and OWASP Sign Agreement on Cyber Security

The General Secretariat of the Organization of American States (OAS) recently signed a Memorandum of Understanding with the Open Web Application Security Project (OWASP) to facilitate a closer level of collaboration on the issue of cyber security and allow each partner to reach a broader audience. CLICK HERE to read the complete press release!

Just for Fun

Congratulations to Robin Wood who was the first person to solve last week's challenge. Answer: The Rose Red City is 7 billion years old. Click here to view last issue's puzzle.

Here is this issue's challenge: Imagine that you have some wooden cubes. You also have six paint tins, each containing a different color of paint. You paint a cube using a different color for each of the six faces. How many different cubes can be painted using the same set of six colors? Remember that two cubes are different only when it is not possible, by turning one, to make it correspond with the other.

Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.

OWASP AppSec USA 2014 Adds Leading Global Experts to List of Speakers

Are you registered for the upcoming OWASP conference? We are excited to be getting closer to the OWASP AppSec USA event and we have now announced our roster of keynote speakers.

The premier software security conference for developers, auditors, risk managers, technologists and entrepreneurs will take place at the Denver Marriott City Center, Sept. 16-19. Below are the keynotes:

• Bruce Schneier, CIO, Co3 Systems, Inc., is an American cryptographer, computer security and privacy specialist, and writer. He is the author of several books on general security topics, computer security and cryptography. (Sept. 18, 8:00 a.m.)

• Renee Guttmann, vice president, Accuvant Office of the CISO, is an accomplished global information security and privacy executive with a proven track record of establishing internationally recognized information security programs for Fortune 500 companies. She is the former CISO of Coca-Cola. (Sept. 18, 4:30 p.m.)

• Gary McGraw, CTO, Cigital, is a recognized authority on software security, an author of eight books on software security topics and an editor of a software security series as well as several peer-reviewed papers. (Sept. 19, 8:00 a.m.)

• In addition to keynote sessions, AppSec USA will offer several interactive events. For the first time ever, the conference will feature “Code Brew,” a home-brewing contest judged by brewers from some of Colorado’s top craft breweries, and two full days of training featuring five tracks including developers, builders, breakers, defenders, and a hands-on skills lab.

To find out more about OWASP AppSec USA 2014, participate in “Code Brew”, or REGISTER for the conference, please visit www.2014.appsecusa.org/2014/

The OWASP Ghana Cybersecurity Conference will take place in Accra, Ghana this December for the second year in a row! The event dates are December 10 - 11, 2014. It amazes me that there are so many places on planet earth where OWASP is active in some way.

I was lucky enough to be one of the speakers at the first OWASP Ghana conference in west Africa. It was quite an amazing experience. It's rare that you get the chance to attend a security conference in the morning and do some seine beach fishing with a large team of locals early that evening. They fish the whole ocean at once; it was quite amazing. :)

This post brought to you by the OWASP AppSecNews feed (https://www.owasp.org/index.php/Application_Security_News).

Posted by Jim Manico.

THIS FRIDAY is the DEADLINE to SUBMIT your CANDIDACY for the 2014 OWASP BOARD OF DIRECTORS (posted 2014-08-13)

Just a reminder that this FRIDAY, AUGUST 15 is the DEADLINE to submit your candidacy for the 2014 OWASP Global Board Of Directors.

Posted by Kelly Santalucia.

Videos from AppSec Europe 2014 (posted 2014-07-31)

For AppSec Europe, the OWASP Media Project, with the help of the Münster University of Applied Sciences IT Security Lab, has put 40 videos online for a total of 70 hours of content. This includes the whole live stream of three tracks on each of the two days of the conference, delivered as a YouTube Streaming Event and on an alternate German stream. The week after, we made a playlist of all 33 individual talks that were recorded.

Now for some stats, covering from June 25th 2014 to July 25th 2014.

We are at 2,074 views and 20,228 of estimated watched minutes.

As for the subscribers, we are at 1,572 and we gained 294 of them during the AppSecEU efforts.

The average view duration is 13:55 minutes. Since we have 6 videos that last more than 6 hours (one for each track of the streaming), that number is a little boosted.

Most of the views come from the live event. For the record, we had around 60 people watching at peak.

We were watched in 84 countries in total. A heat map of view counts enables us to see all locations.

OWASP Media Project has done another big step with this streaming event for a conference. Since last AppSecUSA we also managed to gather at the same place the Global Webinars and the OWASP Community Update. With all this we are now at more than 150 videos with 1,572 subscribers for a total of 63,669 views.

The next step will be AppSecUSA 2014. We'll try to set up live streaming as well as having the recordings for you in a timely fashion.

Featured OWASP Project

OWASP Proactive Controls

The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. They are ordered by importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development. For more information, please contact the Project Leaders, Jim Manico or Jim Bird.

New OWASP Project

OWASP Top Trumps for Projects

If you haven't played Top Trumps, it's a simple game that can be learned in 30 seconds. It is as addictive as it is fun, with the added advantage of being educational in the process. Each card in the deck represents a real-world OWASP project with 6 attributes that can be used to challenge other projects. The purpose of this project is to raise awareness of all OWASP projects in a fun and community-oriented way. For more information, please contact the Project Leader, Mark Miller.

Project Announcements

Technical Reviewers Needed!

The Code Review Guide Project is forming a dedicated team of technical reviewers. They are looking for a small group of individuals for this task, around 5 developers. Please let Gary Robinson or Larry Conklin know what your qualifications are, and they will get back to you on specific work tasks.

Developers Needed!

The Code Review Guide Project is also seeking developers who have examples in PHP, Ruby on Rails, HTML5, Drupal, ColdFusion, CodeIgniter, Java Spring and Struts. The examples they need are for SQL injection, framework issues, configuration errors, XSS and other issues that would raise a red flag for a code reviewer who sees one of them in the code being reviewed. It would be great if each example of bad code came with an example of how the code should be written in a secure manner. This is an exciting team that is doing something with a very real impact on the larger software developer community. Please contact Gary Robinson or Larry Conklin.

Projects Task Force Code Analysis Reports

Over the past week, Johanna Curiel has been putting together code analysis reports for flagship candidate projects. The results of these reports will be posted on the Projects Task Force page this week and next. Click Here for more information on the task force and its progress.

Upcoming Regional Events

Partner and Promotional Events

OWASP has partnered with these great events in the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.

Member voting will begin Friday, August 8, 2014

The third annual WASPY awards voting will begin August 8th. OWASP members will receive a notification and a link to cast their vote from our voting provider, Simply Voting. This is YOUR opportunity to recognize another in our community for their outstanding efforts, so be sure to congratulate all the nominees and cast your vote for the one nominee in each category who will be publicly recognized during an awards ceremony at AppSec USA in Denver. You can read all about the nominees HERE.

2014 Global Board of Directors Election

Please visit our 2014 Board Elections page for frequent updates. Our Call for Candidates is only open until August 15! Please submit your candidacy here. Once confirmed, the candidates will conduct individual interviews answering questions from the community. Anyone can submit a question (or several) and vote up or vote down existing questions. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here. For a complete Election Timeline, Click Here.

OWASP Community Manager Position - Open for applicants

Are you interested in working for OWASP and supporting volunteer efforts around the world? Consider applying for our Community Manager position.

OWASP Community Manager (Full Time, Salaried)

The OWASP Community Manager is responsible for coordination and oversight of volunteer opportunities and initiatives for the OWASP community. Furthermore, this position will focus on providing operational support to OWASP Chapters globally and is responsible for overseeing and disseminating the organization's policies, objectives, and initiatives as they relate to OWASP Chapters.

Details about the position and how to apply.

Please help us spread the word about the position by posting to your chapter/project lists, adding to applicable job boards, or forwarding to any individuals that you think would be interested.

Just for Fun

Congratulations to Steven Avery who was the first person to solve last week's challenge: 93 hens to produce 12 eggs in 6 days. Click here to view last issue's puzzle.

Here is this issue's challenge:

A rose-red city is half as old as Time.
One billion years ago the city's age
Was just two-fifths of what Time's age will be
A billion years from now.

Can you compute how old the crimson city is today? Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.

Posted by Kate Hartmann.

OWASP Community Manager Position - Open for applicants (posted 2014-07-29)

Are you interested in working for OWASP and supporting volunteer efforts around the world? Consider applying for our Community Manager position.

OWASP Community Manager (Full time, Salaried)

The OWASP Community Manager is responsible for coordination and oversight of volunteer opportunities and initiatives for the OWASP community. Furthermore, this position will focus on providing operational support to OWASP Chapters globally and is responsible for overseeing and disseminating the organization’s policies, objectives, and initiatives as they relate to OWASP Chapters.

Details about the position and how to apply: https://virtualmgmt.applicantpool.com/jobs/11646.html

Please help us spread the word about the position by posting to your chapter/project lists, adding to applicable job boards, or forwarding to any individuals that you think would be interested.

OWASP Committees 2.0 Operational Model

Passed by a vote of the OWASP Board of Directors on July 16, 2014.

I. Introduction

There is a disconnect amongst OWASP Leadership in terms of determining who is empowered to make decisions for our organization. It is our belief that the Board has expressed the desire to empower our leaders, but has, at times, questioned the decisions made. The goal of the plan which follows is to empower all OWASP leaders who have an idea that merits action with the ability to act.

II. High-Level Proposal

OWASP will once again reinstate a committee structure for participation in key aspects of our organization. This may include Chapters, Projects, Conferences, Governance, and other topics to be determined later. The key difference between the proposed committees and those of OWASP past will be in the empowerment to take action. OWASP Committees may, at any time, conduct a vote to enact change within the stated scope of the committee without prior approval from the Board.

III. Committee Creation

At any point in time, a community member may propose a new committee via the OWASP Leaders List, stating their rationale and desired scope for creating a new committee. After a community discussion, with perceived majority support and no major arguments against, the OWASP Board of Directors will establish whether there is a conflict of interest with any existing committees and whether the formation of that committee is in line with OWASP goals. If no conflict is determined to exist, the Board will initiate a public call for OWASP members interested in committee membership, via the OWASP Community mailing list, with a seven day time window. So long as the committee receives at least five OWASP member applicants, the Board will vote on the committee creation. A majority vote of support from the Board is sufficient for establishment of a new committee, with all OWASP member applicants being granted committee membership.

IV. Committee Scope

The scope of an OWASP committee is established during the initial proposal for the new committee. In the event that a community member believes that a committee has taken actions outside of its scope, or would like to adjust the scope of a committee, then they may state their rationale and desired response via the OWASP Leaders List. After a community discussion, the OWASP Board of Directors will establish the validity of any scope disagreement or proposed scope amendment. A majority vote of the Board of Directors is required to modify the scope of any OWASP committee.

V. Committee Membership

Any community member is welcome to participate in and provide feedback to an OWASP committee. Committee membership (voting privileges and leadership responsibilities), however, is limited to those who meet the following criteria:

1) Individual must be an OWASP member in good standing.

2) Individual must have the written endorsement of either a current committee member or an OWASP Board member.

3) Individual must demonstrate a history of at least three months participation in the committee for which they are applying for membership.

Any person who satisfies the above criteria may, by way of the public committee communication medium outlined in section VIII below, request to be granted membership to the committee. The committee will then conduct a vote on the applicant, via the same medium, and if the majority of members agree, they will be granted committee membership as well.

Active committees are responsible for conducting a poll of members, at least every six months, asking each if they would like to continue to serve on the committee. Committee members who respond “No” or who do not respond at all during a seven day time window will be removed from membership.

A member of a committee leadership team may have their membership removed for reasons of inactivity over a period of at least six months or misconduct by a unanimous vote of the remaining members of the committee.

If at any point in time, for any reason, committee membership is less than five people, then the committee leadership must initiate a public call for OWASP members interested in committee membership with a seven day time window. All qualified applicants must be accepted to join the committee as committee members. If there are not at least five committee members at the end of the seven day window, the committee will automatically be removed due to a lack of participating interest with that committee’s functions being reassumed by the OWASP Board of Directors.

Committee members are required to report any infractions of OWASP Foundation policies and procedures to the OWASP Board of Directors.

VI. OWASP Staff Participation

The OWASP Foundation will provide a designated staff member to support each active committee from an operational perspective. The staff member may participate in the committee as a community member, but will not serve as a voting member of the leadership team due to a potential conflict of interest. Participating staff are required to report any infractions of OWASP Foundation policies and procedures, by the committee, to the OWASP Board of Directors. The committee leadership team will be invited to provide feedback for the assessment of their assigned staff member by being invited to provide an annual evaluation of their committee related activities, capability and professionalism.

VII. OWASP Board Participation

Members of the OWASP Board of Directors are allowed to become committee members, but participate as normal committee members with no special powers either expressed or implied. While Board member participation in committees is encouraged, Board members must refrain from taking an active leadership role for the committee.

VIII. Committee Communication

All committees are required to hold their discussions in the open in order to enable participation by any member of the community. All official committee discussions (written and verbal) must be archived in a publicly accessible location so that the community may observe committee actions at any point in time. Use of the OWASP Force Portal for Committees is strongly encouraged as it provides logical conversation grouping, an archive of conversations, document attachment capability, participation metrics, and more, but other technologies may be used as long as it is agreed upon by all committee members and all relevant information is linked from the respective Committee wiki page. Committees that wish to solicit assistance from outside participants for committee activities are strongly encouraged to do so using the OWASP Initiatives framework.

Committees are required to notify the OWASP Community, via the OWASP Leaders List, in writing of any official votes and to provide a written summary of actions taken on at least a monthly basis. Committee decisions are considered official once a record has been published to the community. The Board is responsible for reviewing committee actions and ensuring that the committee is acting within its pre-defined scope and in accordance with the OWASP Foundation Bylaws as well as all other applicable policies and procedures.

IX. Committee Organization

All committees are responsible for being self-organized. This includes determining their own leadership structure, coordinating committee meeting schedules at least monthly, taking and publishing notes of committee meetings, assembling monthly action summaries, culling inactive committee members, and ensuring compliance with the defined scope and the various OWASP policies and procedures.

X. Committee Removal

If at any point in time an OWASP Leader believes that a committee is no longer necessary or that the scope of one committee conflicts with the scope of another, they may bring up this concern via the OWASP Leaders List. After a community discussion, the OWASP Board of Directors will hold a vote on the committee removal. A ⅔ majority vote of the Board is required for the removal of a committee.

XI. Empowerment

As the goal of this proposal is to empower our leaders to be able to take action on behalf of the organization, no Board vote is necessary for any initiative of the committee provided that the following is true:

1) The action is within the stated scope of the committee.

2) If money is required, the action follows the guidelines set forth in the Community Engagement Funding document.

3) No contracts are being executed by the committee on behalf of the OWASP Foundation.

4) The action is in line with the OWASP Foundation Code of Ethics and is pursuant to OWASP’s mission.

If any of these is not true, then the OWASP Board of Directors should be consulted for approval prior to the committee's execution of the action.

XII. Accountability

Because the committee is acting on behalf of the OWASP Foundation, but as a separate entity from the OWASP Board, the committee members are expected to conduct their actions with regard to the OWASP Mission, the OWASP Code of Ethics, and the Board’s annual strategic goals. The committee and its members will ultimately be held accountable for any actions that are not in line with these key principles or that are outside of the pre-determined scope of the committee. Perceived violations should be brought to the attention of the OWASP Leaders List along with all substantiating evidence. After a community discussion, the Board may veto the actions of the committee by a majority vote of the Board of Directors.

XIII. Conclusion

We believe that empowering our volunteers to take action is core to the execution of OWASP’s mission. With the above committee structure, we believe that the right pieces will be in place to provide the organization with effective governance as well as checks and balances to ensure unbiased operation. We hope that you will agree that executing on this is in the best interests of the future of the OWASP Foundation.

Posted by Tom Brennan.

AppSec USA 2014 Offers World-Class Training Sessions (posted 2014-07-15)

“Something that looks like a protocol but does not accomplish a task is not a protocol—it’s a waste of time.” ― Bruce Schneier, Applied Cryptography

You won’t want to miss Bruce Schneier’s keynote at the AppSec USA 2014 conference, September 16-19 in Denver. But you also can’t afford to miss AppSec USA’s two full days of training sessions featuring top experts collaborating with you and your peers on the latest application security challenges and industry trends.

This course is designed to provide attendees with the core concepts required to make informed decisions about what cryptographic primitives and APIs are safest to use in practice. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.

Managing and improving your global information security organization; Leverage OWASP and common best practices to improve your security programs and organization; Achieving cost-effective application security; Bringing it all together on the management level.

After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.

This hands-on course enables students to understand how easily mobile devices and applications can be attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls.


Featured OWASP Project

OWASP Java Encoder Project

The OWASP Java Encoder is a Java 1.5+ simple-to-use, drop-in, high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross-Site Scripting! The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add encoder-1.1.1.jar, import org.owasp.encoder.Encode and start encoding. For more information, please contact the Project Leaders, Jeff Ichnowski and Jim Manico.

New OWASP Projects

OWASP Faux Bank

Faux Bank has all 10 of the top vulnerabilities implemented, as well as fixes for these vulnerabilities. The idea is that developers can see a real-world system with vulnerabilities, so that they can see what to look for and how to write secure code. The OWASP Faux Bank wiki page can be found here. For more information, please contact the Project Leader, Davie Elliott.

OWASP Store Sheep Project

OWASP Store Sheep is a work-in-progress application to demonstrate security concepts relating to Windows Store Apps. Store Sheep is a training app for developers wishing to learn to securely code a Windows Store ('Metro Style') app, and for testers wanting to learn to test one. It contains a number of security vulnerabilities with explanations and fixes for them. The project page for the OWASP Store Sheep project can be found here. For more information, please contact the Project Leader, Marion McCune.

OWASP SonarQube Project

The OWASP SonarQube Project aims to deliver a set of "standard" security profiles, such as an OWASP Top 10 profile, ASVS profiles, a PCI-DSS profile and an ISO 27034 ASC profile, which teams can use with the support of the OWASP community. More than 20 programming languages are covered through plugins, including Java, C#, C/C++, PL/SQL, Cobol and ABAP. The OWASP SonarQube Project is looking to expand the offered languages, and is looking for language experts in .NET, PHP and any other language. The project page for the OWASP SonarQube Project can be found here. For more information, please contact the Project Leaders, Sebastien Gioria and Freddy Mallet.

OWASP URL Checker

OWASP URL Checker is an open source, scriptable tool to scan websites for URLs which may lead to information disclosure, exploits and common attack patterns. This tool will check a user-defined website for potentially exploitable/vulnerable URLs by comparing them against the URL extensions in its database. The project page for the OWASP URL Checker can be found here. For more information, please contact the Project Leader, Craig Fox.

Project Announcements

OWASP Security Shepherd New Version

The new version of the OWASP Security Shepherd Project was released earlier this month. The project now has 50 lessons and challenges based on risks from both the Top Ten Mobile and Web App Security Risk lists. OWASP Security Shepherd is perfect for those who are looking to learn about appsec for the first time or are well seasoned in the arts of pen-testing and are looking for a challenge. More information can be found on the wiki page, or you can contact the project leader, Mark Denihan.

Research Assistant Needed for the Developer Guide

The Developer Guide Project is looking for an honors student or masters student to replicate the 1979 paper by Morris and Thompson. It has been many years since we've had statistically sound research into the basic properties of the password. Morris and Thompson introduced countermeasures that we still use today (30 day password rotation, minimum six character passwords) that made sense for a PDP 11/870 back in 1979. The project leaders would also like a cryptography research student or masters student to help look into session tokens, particularly RESTful API tokens. The basic topic would be a short paper on the properties necessary to protect against session prediction, session recovery and side channel attacks against sessions, and an investigation of a few sample session issuers, such as RESTful APIs in common use. If you are interested in helping the Developer Guide, please contact Andrew van der Stock.

New Set of Architectural Security Principles

The Reverse Engineering and Code Modification Prevention project has released a set of architectural security principles that enforce integrity preservation in mobile apps. This is an updated list of principles / controls that security architects will find useful when enforcing code integrity within their mobile apps. For the complete list of the integrity controls and underlying security principles, check out the Architectural Principles sub-project.

New Dependency Check Version 1.2.3 Out Now

On June 28th, the OWASP Dependency Check project released version 1.2.3. Dependency Check can be used to analyze an application's dependent libraries (Java and .NET) to identify and report on any known, published vulnerabilities related to the libraries being used. The tool will be demoed during the Black Hat Arsenal in Las Vegas on Wednesday, August 6th. You can find the newest release of the OWASP Dependency Check on the project page.

OWASP Foundation Social Media

WASPY Award Nominations are Complete

Every year a group of individuals including researchers, developers, security professionals, and others work to ensure the security of web applications. Some of these individuals are featured in news stories or at conferences as recognized experts. But there are many other 'unsung heroes' that work every day to improve web application security and yet are rarely recognized. The Web Application Security People of the Year (WASPY) Awards are the OWASP Community's opportunity to recognize those individuals who have made an impact by leveraging the OWASP platform.

THE 2014 NOMINEES ARE

Best Chapter Leader

Sebastien Deleersnyder - Belgium

Jonathan Marcil - Montreal

Riotaro Okada - Japan

Ron Perris - Orange County

Sen Ueno - Japan

Best Project Leader

Tokuji Akamine - OWASP XSecurity Project

Spyros Gasteratos - OWASP Hacademic Challenges Project

Achim Hoffman - OWASP O-Saft

Jeremy Long - OWASP Dependency Check

John Melton - OWASP AppSensor

Matteo Meucci - OWASP Testing Project

Best Mission Outreach

AppSec USA 2013 Team - AppSec USA 2013

Jonathan Marcil - OWASP Videos

Mostafa Siraj - Cairo Chapter

Best New Community Supporter

AppSec APAC 2014 Team - AppSec Asia Pac 2014

Robert Dracea - AppSec Asia Pac 2014 - Japan

Beth Guth - South New Jersey

Takanori Nakanowatari - AppSec Asia Pac 2014 - Japan

Congratulations to all the nominees! You can read the full write-up on each person's accomplishments on the 2014 WASPY Awards Wiki Page.

Honorary Membership applications now being accepted

CLICK HERE to find out if you qualify for Honorary Membership. The deadline to submit your application is September 30, 2014.

Just for Fun

We would like to congratulate Javier Coirolo for submitting the first correct response to last issue's puzzle. Thank you everyone who submitted responses. Click here to view last issue's puzzle.

Here is this issue's challenge... A chicken farmer has figured out that a hen and a half can lay an egg and a half in a day and a half. How many hens does the farmer need to produce one dozen eggs in six days? Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.

Governance

Request for Comment: Committees 2.0 Structure

The model outlined below represents a potential implementation of the idea currently being described as OWASP Committees 2.0. We aim to leverage the lessons learned from our previous committee model to create a new model that grows our leadership circles and empowers our leaders for more rapid action, while still ensuring that their activities stay true to OWASP's core values. It is still a work-in-progress, but represents the contributions from the OWASP Board, the OWASP Executive Director, OWASP Staff, Dinis Cruz, Johanna Curiel, and various others. Click here to review the document. This is your opportunity to have a voice in the future of OWASP governance. We look forward to hearing your thoughts on this proposal.

2014 Global Board of Directors Election

Please visit our 2014 Board Elections page for frequent updates. Our Call for Candidates is only open until August 15! Please submit your candidacy here. Once confirmed, the candidates will conduct individual interviews answering questions from the community. Anyone can submit a question (or questions), and vote up or vote down existing questions. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here. For a complete Election Timeline, Click Here.

Global Board of Directors Meeting Times

Interested in what is going on with the Board of Directors? Board meetings are open to the public, and upcoming meetings as well as agendas are posted to the Board wiki page.

Upcoming 2014 Meetings

July 9, 2014 9am-10am PST

August 13, 2014, 9am-10am PST

September 10, 2014, 9am-10am PST

September 16, 2014, 6pm - 9pm MST (in person at AppSec USA)

Reminder: Discussing Governance at OWASP

We have an open mailing list for discussing the overall topic of governance at OWASP. Click Here to browse the list archives.

Initiatives

OWASP Winter Code Sprint

We are thrilled to announce the launch of OWASP Winter Code Sprint (OWCS) for this upcoming Autumn/Winter (Sept 14-March 15).

What is OWCS? The OWCS is a program to involve students with security projects. By participating in OWCS a student can get real-life experience while contributing to an open source project and getting university credits.

How it works

Any OWASP project that will give you university credits can participate in OWCS. Each project will be guided by an OWASP expert along with a professor. Students are graded by their university, based on success criteria identified at the beginning of the project. Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source. Universities are free to specify their own requirements for projects, such as written reports. OWASP does not influence the way grades are allocated. The OWASP advisers will provide any information professors need in order to grade their students.

How to participate?

As a Student:

OWASP Meet and Greet at BlackHat USA

What does this mean? Chapter and Project leaders that are already planning on attending BlackHat USA 2014 can sign up for a 2 hour slot (or more) to promote their chapter and/or project at the OWASP booth. This will allow conference goers that may only know you via email to put a face to a name. It will also provide you visibility to thousands of individuals to promote your chapter and/or project. We have a limited amount of "Expo Only" passes available if you were not planning on attending BlackHat but will be in Las Vegas on Wednesday, August 6 and/or Thursday, August 7 and want to promote your chapter/project at the OWASP booth. Leaders will be showcased for the time(s) you select and the leader with the most visitors over the two days will win a prize! To help us promote your chapter and/or project, please fill in the time(s) that best accommodate your schedule to be showcased at the OWASP BlackHat booth here.

BSides 2014 Las Vegas, Tuesday, August 5 - Wednesday, August 6

Anyone that will be in Las Vegas and would like to help promote OWASP at our BSides booth is welcome! Please select the time(s) that best fit your schedule to volunteer at the OWASP booth here. The volunteer with the most visitors over the course of the two days will win a prize!

Our Community Manager, GK Southwick, gave her 2 week notice to OWASP on June 27, 2014. GK's last day will be this upcoming Friday, July 11.

Although GK has only been with us a short time, we appreciate the hard work and dedication she has had in trying to make headway in managing requests for new and existing chapters, starting a revamp of our merchandise request process and ensuring that community members' merchandise requests are answered in a timely fashion, and assisting with volunteer initiatives.

We wish GK the best of luck in her future endeavors, including her great contributions to the AppSec community through her involvement with B-Sides Las Vegas and many other industry events.

OWASP will be re-hiring for the community manager position shortly. Stay tuned for updates on the application process and hiring timeline.

Do not forget that chapter leaders can attend the conference free of charge by using a discount code when registering. Additionally, there are discount codes for the leaders to join training sessions (ask us for these codes).

We truly appreciate your help with promoting AppSec US 2014, and hope to see you in Denver.

I am sure you all know at least one person who contributes and does amazing things for OWASP, yet flies under the radar. This is the perfect time to nominate them for the WASPY Awards so they receive the global recognition and thanks they deserve.

OWASP AppSec Europe 2014 will be presenting six (6) tracks of live content directly from the conference's main rooms. The event will run on June 25 and June 26, starting at 9:15AM GMT+1. And if you miss it, keep calm and watch later, since all the recorded content will be available in the following playlist:

During the session we aim to create a gathering of software developers sharing good and bad coding examples, with the goal of educating everyone reading the code review guide on what to do (and what not to do) when coding web sites.

In the session we will be looking for code examples on topics such as:

Authentication

Authorization

SSL/TLS Implementations

JSON

HTTP headers

SQL Injection

Secure communications

Frameworks (Spring, Struts, Drupal, Ruby on Rails, Django, etc)

See the flyer for more information on the session, and come along to share ideas,

Featured OWASP Project

OWASP .NET Project

The OWASP .NET Project is the clearinghouse for all information related to building secure .NET web applications and services. The goal of the project is to provide deep content for all roles related to .NET web applications and services. The focus of the project is on guidance for developers using the framework, and on OWASP components that use .NET. The wiki page for the OWASP .NET Project can be found HERE. For more information, please contact the Project Leader, Bill Sempf.

New OWASP Projects

OWASP Project Metrics

The goal of this project is to create an automated tool able to connect to the majority of distributed version control systems (DVCS) and generate data to measure project activity and quality using metrics and standard practices. For more information, please contact the Project Leader, Federico Figus.

OWASP iOSForensic

iosForensic is a Python tool to help with forensic analysis on iOS. It gets files and logs, extracts sqlite3 databases and uncompresses .plist files to XML. For more information, please contact the Project Leader, Florian Pradines.

OWASP Secure Development Training

The goal of this project is to produce an open source training curriculum for secure development training. This training material can be used freely by trainers to be delivered in person and in commercial settings, or accessed directly by students in video recorded format. For more information, please contact the Project Leader, Tobias Gondrom.

OWASP PHP Security Training Project

The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided into an attack and a defense part. When working through the attack part, the developers will have to strike against a vulnerable application. Through this, they will learn to think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP Top 10. For more information, please contact the Project Leader, Timo Pagel.

Project Announcements

Cyber Security Startup Initiative

The latest OWASP Global Initiative will be participating in this year's Project Summit at AppSec EU. The aim of the Cyber Security Startup Initiative is to create opportunities for innovation in application security by promoting the creation of open source prototype tools produced by teams looking to form a startup. More information can be found ON THE WIKI PAGE. The initiative's Project Summit session will take place on June 24, 2:00pm - 6:00pm. To take part in the session, sign up to attend HERE. Any questions about the initiative can be directed to the initiative leaders: Neill Gernon and Marco Morana.

Project Summit 2014

We are just a few weeks away from AppSec EU and the Project Summit. There are some great sessions planned for the two days. The full session schedule can be found HERE. The Project Summit is a fantastic opportunity to workshop your project and gather new volunteers for your project. The Project Summit will be taking place June 23-24 at Anglia Ruskin University in Cambridge, UK and is free and open to the Community. You do not need a conference pass to attend the Project Summit. The full conference schedule can be found HERE and you can add Project Summit sessions to SCHED.org.

Bi-Weekly Community Call

Bi-Weekly OWASP Town Hall meetings have been started by Michael Coates. The next one is scheduled for June 17th at 9am Pacific time. If you have any updates or announcements regarding OWASP that you would like to share with the world, please add them to the wiki page. The meetings are held using Google Hangouts and broadcast live. They are always recorded and publicly posted via YouTube. This is NOT a slide presentation. Items posted on the wiki will be discussed, and questions will be accepted over Twitter or Hangout chat.

Call For Volunteers (CFV) for AppSec EU

For just 8 hours of your time and effort, we'll provide you with a full conference pass. We need folks to work the registration desk as well as room proctors, speaker liaisons, ticket takers for the conference dinner, and more! Shifts start on Monday for the Trainings and run through Thursday, so there's plenty of opportunity for you to get in your required time and still see the talks you want to attend. Sign Up Today

Just for Fun

Congratulations to Calle Svensson who was the first person to solve last week's challenge: 98 coins. Click here to view last issue's puzzle.

Here is this issue's challenge... The government pays farmers a specific fee for each row of four trees that they plant. An enterprising, but dishonest, farmer found a way of planting five rows of four trees using only ten trees. How did he do it? Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.

The OWASP Cornucopia project has been shortlisted for an award in a competition run by the .UK registrar.

What is the OWASP Cornucopia Project? OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

Many thanks to everyone involved and also the project leader, Colin Watson.
This post brought to you by the OWASP AppSecNews feed (https://www.owasp.org/index.php/Application_Security_News).

OWASP - What's Next - Community Discussion (2014-06-12)

Sarah Baso recently announced that she'll be stepping down in August. We wanted to provide additional information on what's next for OWASP.

OWASP Community,

Many thanks again to Sarah for her time and dedication to OWASP. Sarah and the entire operations team has made tremendous strides for OWASP over the years. We’re sad to see Sarah go, but at the same time we feel very happy for her and the exciting events in her future.

While OWASP is made up of many great individuals, we are more than just a collection of individuals. Focused on the mission, we donate countless hours in our volunteer efforts just to make the world a better place. For us at OWASP we pursue this through advancing and bringing awareness to application security.

As we’ve seen over the past week there are many changes at OWASP. This is a natural evolution of an organization and also an opportunity for new leaders to step forward.

What’s next? With every transition we have the opportunity to pause and ask, “what should we do to move forward?” Sometimes this is to continue along the same path as before. Other times it is to shift into a new direction. There are several changes happening here at OWASP and we should evaluate what move is best for our growing community. This could be a straight backfill or this could be something new. As a community, let’s have that discussion.

A few specific items:

Open

There are many different paths forward for OWASP. As a community let’s determine where we want to go. The discussion and process will be open to all. Though we may have different ideas ultimately the community as a whole will reach a path forward and we can all rally around the next steps.

Focus on Community

We must continue to look at how we advance OWASP to empower community. OWASP is a unique organization and we need to build structures that are cognizant of our volunteers and their contributions, and also work in the distributed world wide organization that we are. This is more than just talk too. We need to address the hard questions so we can build a well functioning system that is exciting and welcoming for our community.

The business side of OWASP is no small task. We have legal entities in the US and Europe, income from events around the world, tax and legal obligations and more. In the interim we will be hiring a third party firm that specializes in the business operations of non-profits. This will enable OWASP to focus on what we do best, application security. In addition, the third party will also ensure the business side of the house is in order. This is a short term engagement that will be re-evaluated as part of our larger discussion.

OWASP Operations Team

The operations team works tirelessly to advance OWASP. We are truly grateful for their efforts. The business group mentioned above will augment our operations team. Every member of the operations team plays a critical role and we need them to be able to focus on their areas of expertise.

Although things will be changing in some areas of OWASP as we all evaluate the best structure, it is still crucial to provide a single point of contact for the operations team. In the interim the operations team will report directly to the chairman of the board, Michael Coates.

Continuing the conversation

This is only the beginning of the conversation. Here are several ways to continue sharing ideas.

1. Open Town Hall

A Google Hangout is scheduled for next week on Monday, June 16, 7am Pacific (hangout link & world time conversions). The call will be recorded and streamed live. You can join the call in real time or submit your questions ahead of time via Google Moderator.

2. Google Moderator

Have an idea to share? Want to dive into a different proposal? Use Google Moderator to have a free-form conversation with just enough structure in the tool so good ideas can rise up.

3. Mailing lists

The age-old mailing lists (the OWASP leaders list and the OWASP community list) are still there and will of course be used. But, sometimes good ideas get lost here in long threads. So please consider capturing important items within Google Moderator too.

Change can sometimes feel a bit uncomfortable, but at the same time it can be a great opportunity. Let’s embrace this opportunity to develop the future of OWASP together.

We are wishing our Sarah all the best for the future and looking forward to all of your feedback, ideas, and energy that made OWASP the great organization it is today and which will lead OWASP into the future.

On Friday May 23, 2014, I gave notice to the Board of Directors that I will be resigning as Executive Director of OWASP. As some of you already know, I am pregnant with my first child and, now, have decided to take this opportunity to stay at home with the baby after she is born in late August. This has been a difficult and bittersweet decision, as I am sad to leave OWASP but very excited for this new chapter in my life full of its own challenges and experiences.

In the past three and a half years since I started working with the OWASP community on the 2011 Global Summit, I have had the great fortune of working with many volunteers around the world both virtually and in person. I will treasure that work and all of the efforts and enthusiasm I have experienced first hand in the community. Thank you to each and every one of you for your continued contributions to support OWASP as an organization and, most importantly, for your hard work improving the security of software.

The Board will be following up shortly with the community to provide more details on next steps for OWASP. I plan to continue working to support the ongoing efforts and initiatives of the Foundation over the next couple of months, enabling a smooth transition of my responsibilities upon my departure in August.

As we work through this transition, if you have questions and comments I encourage you to share them with me, the Board of Directors, and other community leaders via the owasp-leaders and owasp-community mailing lists.

Sincerely,

Sarah Baso

Executive Director

OWASP Foundation

AppSec EU Call for Volunteers is now OPEN!! (2014-06-12)

It's that time! The Call For Volunteers (CFV) for AppSec EU is now live! For just 8 hours of your time and effort, we'll provide you with a full conference pass (£500.00). We need folks to work the registration desk as well as room proctors, speaker liaisons, ticket takers for the conference dinner, and more! Shifts start on Monday for the Trainings and run through Thursday, so there's plenty of opportunity for you to get in your required time and still see the talks you want to attend.